Privacy Notice

Page Content

This notice explains how the College of Policing (‘the College’) processes personal data about individuals, which includes the collection, storage, and sharing of that information. It also describes the steps we take to ensure that the personal data we hold is protected, and explains the rights individuals have in regard to their personal data handled by the College.

The processing of personal data is governed by the General Data Protection Regulation (GDPR) and relevant Data Protection legislation. The College is registered with the Information Commissioner as a 'Data Controller' [registration no: Z3458257]. As such we are obliged to ensure that all personal data is held and processed in accordance with the law.

The College takes that responsibility very seriously and takes great care to ensure that personal data is handled appropriately in order to secure and maintain individuals' trust and confidence in the College.

1. Why do we handle personal data?

The College obtains, holds, uses and discloses personal data for three broad purposes:

A. Our Core Purposes – to -

Set standards

Promote evidence-based good practice

Accredit training providers

Support partnership working

Lead on ethics and integrity

B. The Policing Purpose – which include (but not limited to):

the prevention and detection of crime;

apprehension and prosecution of offenders;

protecting life and property;

preserving order;

maintenance of law and order;

rendering assistance to the public in accordance with national police standards, policies and procedures;

national security;

defending civil proceedings, and

any duty or responsibility of the police arising from common or statute law.

C. The provision of services to support our Core and Policing Purposes – which include (but not limited to):

Staff administration, occupational health and welfare;

Management of College membership and associated activities;

Training;

Payroll and benefits management;

Management of complaints;

Vetting;

Management of information technology systems;

Legal services (which includes the defending civil proceedings within the statutory limitation period);

Pension administration;

Research, including surveys and analytics;

Social Media Correspondence and Analysis

Updates, newsletters and events

The College will only use appropriate personal data that is necessary to fulfil a particular purpose or purposes.

2. Our lawful basis for processing data.

The GDPR allows for personal data to be processed under one of six conditions. With consideration to the purposes mentioned above, the College will in the majority of cases, rely on the condition of processing personal data due to it being necessary for the performance of a task carried out in the public interest or exercise of official authority vested in the College. Where the College uses information for the purposes of a newsletter mailing list or anything considered to be 'marketing' then your information will be processed under the condition of consent.

As the College processes many categories of data for various reasons, the College may also rely on other lawful basis like necessary for a contract, necessary for compliance with a legal obligation, in your vital interest, or for a legitimate interest.

Where sensitive or 'special categories' data is being collected, additional lawful basis will apply like having explicit consent, necessary for employment, social security, defending against legal claims, for a substantial public interest and for preventative or occupational health or medicine, amongst other reasons.

In each case where information is being requested by the College we will specify at the time of collection of data, usually through a service specific privacy notice, which of the lawful basis above we are relying on for the processing of that data.

3. Whose personal data do we handle?

In order to carry out the purposes described under sections 1 above, the College of Policing may obtain, use and disclose (see section 8 below) personal data relating to a wide variety of individuals including the following:

Staff of the College including volunteers, agents, temporary and casual workers;

Individuals who purchase any of our products or services;

Suppliers;

Complainants, correspondents, litigants and enquirers;

Relatives, guardians and associates of the individual concerned;

Advisers, consultants and other professional experts;

Offenders and suspected offenders;

Witnesses;

Individuals passing information to the College of Policing;

Victims (current, past and potential);

Former and potential members of staff, pensioners and beneficiaries;

Other individuals necessarily identified in the course of police enquiries and activity.

4. What types of personal data do we handle?

In order to carry out the purposes described under sections 1 above , the College of Policing may obtain, use and disclose (see section 8 below) personal data relating to or consisting of the following:

Personal details such as name, address, email and biographical details;

Family, lifestyle and social circumstances;

Skill and interests

Education and training details;

Employment details;

Financial details;

Goods or services provided;

Race and other protected characteristics (e.g. disability, age);

Other special categories of data like sexuality, religion and criminal records

Physical identifiers including DNA, fingerprints and other genetic samples;

Sound and visual images;

Criminal Intelligence;

Complaint, incident, civil litigation and accident details.

5. Where do we obtain personal data from?

In order to carry out the purposes described under section 1 above the College of Policing may obtain personal data from a wide variety of sources, other than the individual directly, which includes the following:

Other law enforcement agencies;

HM Revenue and Customs;

International law enforcement agencies and bodies;

Licensing authorities;

Legal representatives;

Prosecuting authorities;

Defence solicitors;

Courts;

Prisons;

Security companies;

Partner agencies involved in crime and disorder strategies;

Private sector organisations working with the police in anti-crime strategies;

Voluntary sector organisations;

Approved organisations and people working with the police;

Independent Police Complaints Commission;

Her Majesty's Inspectorate of Constabulary;

Auditors;

Police Authority;

Central government, governmental agencies and departments;

Emergency services;

Relatives, guardians or other persons associated with the individual;

Current, past or prospective employers of the individual;

Healthcare, social and welfare advisers or practitioners;

Education, training establishments and examining bodies;

Business associates and other professional advisors;

Employees and agents of the College of Policing;

Suppliers, providers of goods or services;

Persons making an enquiry or complaint;

Financial organisations and advisors;

Credit reference agencies;

Survey and research organisations;

Trade, employer associations and professional bodies;

Local government;

Voluntary and charitable organisations;

Ombudsmen and regulatory authorities;

The media;

Data Processors working on behalf of the College of Policing.

The College of Policing may also obtain personal data from other sources such as its own CCTV systems, training records, or correspondence

6. How do we handle personal data?

In order to achieve the purposes described under section 1, the College of Policing will handle personal data in accordance with the GDPR and relevant Data Protection legislation. In particular we will ensure that personal data is handled fairly and lawfully with appropriate justification.

We will strive to ensure that any personal data used by us or on our behalf is accurate and relevant. We will also ensure it is:

not excessive;

kept up to date as required

protected appropriately; and is

reviewed, retained and securely destroyed when no longer required.

We will also respect individuals' rights under the GDPR and relevant Data Protection legislation.

7. How do we ensure the security of personal data?

The College of Policing takes the security of all personal data under our control very seriously. We will comply with the relevant parts of the GDPR and associated Data Protection legislation relating to security, and seek to comply with the National Police Chief's Council (NPCC) Community Security Policy and relevant parts of the ISO27001 Information Security Standard.

We will ensure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect our manual and electronic information systems from data loss and misuse, and only permit access to them when there is a legitimate reason to do so, and then under strict guidelines as to what use may be made of any personal data contained within them. These procedures are continuously managed and enhanced to ensure up-to-date security.

8. Who do we disclose personal data to?

In order to carry out the purposes described under section 1, the College of Policing may disclose personal data to a wide variety of recipients, including those from whom personal data is obtained (as listed above). This may include the following:

Disclosures to other law enforcement agencies (including international agencies);

Partner agencies working on crime reduction initiatives;

Partners in the Criminal Justice arena;

Other partner agencies working with the College;

Victim Support;

To bodies or individuals working on our behalf such as IT contractors or survey organisations;

Local government

Central government

Ombudsmen and regulatory authorities

The media

International agencies concerned with the safeguarding of international and domestic national security]

Third parties involved with investigations relating to the safeguarding of national security.

To other bodies or individuals where necessary to prevent harm to individuals.

Disclosures of personal data will be made on a case-by-case basis, using the personal data that is appropriate and proportionate to a specific purpose and lawful basis, and with necessary controls in place.

Some of the bodies or individuals to which we may disclose personal data may be situated outside of the European Union - some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If we do transfer personal data to such territories, we undertake to ensure that there are appropriate safeguards in place to certify that it is adequately protected as required by the GDPR and relevant Data Protection legislation.

The College of Policing will also disclose personal data to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. The College may also disclose personal data on a discretionary basis, as allowed by law

9. What are the rights of the individuals whose personal data is handled by the College?

Individuals have various rights under the GDPR, which can be found under articles 12 to 22 of the regulation. Below are the common rights that are likely to apply to the processing of information by the College of Policing:

A. The right of individuals to access personal information held about them 'Subject Access request'

The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal data processed by the College of Policing. Details of the application process can be found on our 'Subject Access' page on our website.

The College of Policing will make it clear in our service specific privacy notices the lawful basis of why we collected that personal information. If the lawful basis was for the following three reasons then individuals will have a right to object to that processing:

The performance of a task carried out in the public interest or exercise of official authority vested in the College

For scientific or historical research purposes

For direct marketing

The College will always allow individuals to object to direct marketing as this is a specific right that individuals have under the GDPR. However, the College will consider if your objection is appropriate under the other two basis, which will depend on the justification and reasons provided. These will be balanced against the College's need to process that information and a response outlining our decision will be provided.

A request to object to the processing of personal information may be sent to the College of Policing Data Protection Officer (see section 12 below).

C. The rights to object to automated decisions and profiling

Although the College of Policing is unlikely to carry out any automated decision making that does not involve some human element, the GDPR does provide for this specific right in cases where this may occur. Subject to certain exemptions, an individual has the right to require that the College of Policing ensures that no decision that would significantly affect them is taken by the College of Policing, or on our behalf, purely using automated decision-making software. If there is a human element involved in the decision-making the right does not apply.

A request to object to the automated decision making or profiling may be sent to the College of Policing Data Protection Officer (see section 12 below).

D. The right to be forgotten (the right to erasure of personal data)

Individuals have the right to request that the College deletes personal information that is held about them. However this right will not apply in all cases.

If the College obtained information about an individual with their consent, and it relates to information that we are not required to keep by law or required to keep for a limited time while a complaint or appeal window is open then we will likely be able to comply with a request to delete the information. An example of this may be the contact details of an individual who has provided this information for the purposes of receiving a newsletter or marketing material.

However if the college is relying on another legal basis to process the personal data or the College is required to keep the data in accordance with our retention schedule or to be able to deal with complaints or appeals then a request for deletion of data may be refused under the relevant exemptions.

A request to delete personal information as described above may be sent to the College of Policing Data Protection Officer (see section 12 below).

E. The right to rectification or restriction of the processing of personal data

If an individual feels that the College of Policing holds information about them that is not accurate, they have the right to request that this is rectified and made accurate. This could be information that is felt to be incomplete or not factually correct.

If the information to be corrected is disputed and would require more time to establish the accuracy of the data, you may also request that the personal information be restricted so that further processing of that information does not take place, or if necessary, in a restricted way.

A request for rectification or restriction may be sent to the College of Policing Data Protection Officer (see section 12 below).

F. The right to data portability

Individuals have a right to a copy of their personal data in an easily accessible electronic format that can be transferred to another system (structured, commonly used and machine readable form).

This right only applies to the personal data individuals provided to the College and does not include data the College created during the processing of that data. This right only applies if the data was processed under the lawful basis of consent or for the performance of a contract.

A request for data portability may be sent to the College of Policing Data Protection Officer (see section 12 below).

F. The right to complain to the College of Policing and to the Information Commissioner's Office (ICO)

The ICO is the supervisory authority that is responsible for upholding the GDPR and related Data Protection legislation in the UK. You have the right to complain to the ICO if you believe the processing of personal data is in breach of the GDPR or related Data Protection legislation. However the ICO guidance suggests complaints should be directed to the 'Data Controller', which in this case would be the College of Policing, in the first instance to allow the College to properly address any concerns first.

In the unlikely event that you would like to raise a complaint with the College, please contact us on the details provided under section 12 below.

If after making a complaint to the College you still feel your concerns were not full addressed you can contact the ICO on the details below:

The College keeps personal data as long as is necessary for the particular purpose or purposes for which it is held. Our information is held in accordance with our Retention, Review and Disposal schedule. When an individual provides us with their information, our updated service specific privacy notices will state how long we plan to keep that specific type of data for.

11. Monitoring

The College may monitor or record and retain telephone calls, texts, emails and other electronic communications to and from the College in order to deter, prevent and detect inappropriate or criminal activity, to ensure security, and to assist the purposes described under section 1 above.

12. Contact Us

To exercise any of the rights under section 9 above relating to personal data being held by the College, a request should be made using the details below. Any individual with concerns over the way the College handles their personal data may also contact our Data Protection Officer using the details below:

The College of Policing uses cookies to collect and analyse information about the users of this website. We use this information to enhance the content and other services available on the site. By continuing to use our site, you are agreeing for us to set a small number of cookies. You can manage your preferences for Cookies at any time, for more information please see our Cookies Policy.